[funsec] dumb. Comcast pop-ups
rsk at gsp.org
Mon Oct 12 08:05:07 CDT 2009
On Sun, Oct 11, 2009 at 10:03:26PM -0400, Larry Seltzer wrote:
> >> If they are not...
> I think it's fair to assume that a very high percentage of these users
> will have at least one malicious system behind the cable modem. We're
> pretty good at recognizing that now, aren't we?
I'm not sure what you mean. Yes, infection rates are high and steadily
rising, so it's a decent bet that any household chosen at random will have
at least one system with at least some issues, but our ability to detect
these (from outside) depends entirely on what they're doing. A spam-spewing
bot sticks out like a sore thumb, but a compromised system which is not
making itself so readily visible may go undetected indefinitely.
Given what we've observed during this decade about botnet operators, I think
they are *easily* smart enough to hold huge numbers of systems in reserve.
So I think "the set of systems that appear to be bots and are spewing spam"
is just the tip of the iceberg. But even if that's true: it still doesn't
tell us which ones. Figuring that out requires visiting all of them,
booting them from known-clean media, running the appropriate tools,
analyzing the results, etc., and that's time-consuming and expensive.
So instead we have PR exercises like this rubbish from Comcast.
> >> If they are, then what POSSIBLE reason is there to believe that the
> users will actually see these pop-ups? It is, after all, not in the
> best interests of the new owners of those compromised systems to permit
> the former owners to be alerted to what's going on.
> Of course there's no evidence that any malware is yet blocking such
> messages. One day when that happens it will be a problem. In the
> meantime this is a fairly unobtrusive way for Comcast to communicate
> with users. When it's blocked they'll have to find another.
Of course there isn't. But do you really think that people clever enough
to rewrite bank statements on the fly will have any technical difficulty
at all deploying the code to block those pop-ups? My guess is that they'll
assign the task to some junior programmer whenever they feel it's worth
troubling themselves to swat this annoying little fly.
More broadly: one of the reasons we find ourselves where we do is that
we think too much about what the adversary IS doing instead of what the
adversary COULD be doing. It's a failure of imagination. It's why they're
so far ahead of us and pulling further away every day.